Syslogger
Syslogd is the main logging tool on a GNU/Linux system. It centrally manages logging for your
main system services. It does not provide logging for additional programs such as web servers or
mail servers that have their own logging facilities.
The syslogd is taken from BSD sources; Greg Wettstein (greg@wind.enjellic.com)
performed the port to GNU/Linux, and Martin Schulze (joey@linux.de)
made some bug fixes and added some new features.
There are some other logging tools that you could use, some of them are certainly more secure
than the default syslogger.
NSyslogd - http://coombs.anu.edu.au/~avalon/nsyslog.html
On most (if not all) GNU/Linux distributions the syslog daemon will already be installed.
When you want to log messages to another host, you need to make sure that this host
is capable of accepting log messages. First of all, the daemon
needs to know on what port to listen. For this you need to check the file
/etc/services and look for the line
syslog 514/udp
If it is missing, just add it!
Next, check with netstat -an that there is 'something' listening on UDP port 514.
If there isn't, this means that your daemon isn't started right. Edit the file
/etc/init.d/syslog (or whatever startup script you use for starting the
syslog daemon) and make sure it looks something like this.
extract of /etc/init.d/syslog
case "$1" in
    start)
        echo -n "Starting system logger: "
        # we don't want the MARK ticks
        daemon syslogd -r -m 0
        RETVAL=$?
        echo
        echo -n "Starting kernel logger: "
        daemon klogd
        echo
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/syslog
        ;;
The -r option starts the daemon so that it can accept messages from other hosts.
Now just restart the syslog daemon with
/etc/init.d/syslog restart
When you check the output of netstat -an there should now be
something listening on UDP port 514.
When your syslog server is up and running, you need to provide the clients with the
information they need to log to this server.
Open the file /etc/syslog.conf in your favorite editor and make it look
something like this
extract of /etc/syslog.conf
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# Log all the mail messages in one place.
mail.* /var/log/maillog
# Everybody gets emergency messages, plus log them on another
# machine.
*.emerg *
# Log to external server
*.info;mail.none;authpriv.none;cron.none @syslogger.mydomain.com
This would log to syslogger.mydomain.com :
- *.info
everything at level info or higher, from every facility
- mail.none
log nothing for mail
- authpriv.none
log nothing from the private authentication facility
- cron.none
log nothing for cron
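To see exactly which messages the selector line above sends to the remote host (and which the 'none' entries hold back), here is a small evaluator of classic syslog.conf selectors. It is an added example, not code from the HOWTO or from sysklogd; it assumes the sysklogd rules that a plain priority means "that level or higher", that selectors on one line accumulate, and that 'none' switches a facility off, and it ignores the '=' and '!' modifiers of newer syslogds.

```python
"""Evaluate classic syslog.conf selector lines (facility.priority;...) against
a message's facility and priority. Added example, not part of the HOWTO."""
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]

def parse_conf(text):
    """Return (selectors, action) pairs; each selector is a (facility, priority) tuple."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        selector_field, action = line.split(None, 1)
        selectors = [tuple(sel.split(".", 1)) for sel in selector_field.split(";")]
        rules.append((selectors, action.strip()))
    return rules

def selector_matches(selectors, facility, priority):
    """Walk the ';'-separated selectors left to right, as syslogd does when building
    its per-facility mask: a match switches the facility on, a later 'none' off."""
    matched = False
    for fac, prio in selectors:
        if fac != "*" and fac != facility:
            continue
        if prio == "none":
            matched = False
        elif prio == "*" or PRIORITIES.index(priority) >= PRIORITIES.index(prio):
            matched = True
    return matched

def targets_for(rules, facility, priority):
    """Every action the message reaches: a file, '@host' (remote server) or '*' (all users)."""
    return [action for selectors, action in rules
            if selector_matches(selectors, facility, priority)]

# Constructed copy of the non-comment lines of the syslog.conf extract above.
SAMPLE_CONF = """
*.info;mail.none;authpriv.none;cron.none /var/log/messages
mail.* /var/log/maillog
*.emerg *
*.info;mail.none;authpriv.none;cron.none @syslogger.mydomain.com
"""

def demo():
    """Map a few facility.priority pairs to the targets SAMPLE_CONF gives them."""
    rules = parse_conf(SAMPLE_CONF)
    return {key: targets_for(rules, *key.split("."))
            for key in ("daemon.warning", "mail.info", "authpriv.notice", "kern.emerg", "user.debug")}

if __name__ == "__main__":
    print(demo())
```

Note that authpriv messages never reach the remote host with this configuration, while kern.emerg goes to the local file, to every logged-in user and to syslogger.mydomain.com.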
Now just reload the syslogger with
/etc/init.d/syslog reload
and check the messages on your syslog-server.
Make sure you firewall off the syslog port. Otherwise your server could rapidly
become a 'playground' for script kiddies, and your logs would be filled before you've noticed it.
The default syslogger has very few (in fact, no) security settings. If you don't feel comfortable
with this idea, try one of the other loggers mentioned above.